Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -453,8 +453,11 @@ defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer S
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -643,8 +646,11 @@ privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -931,8 +937,11 @@ persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -1510,8 +1519,11 @@ initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service A
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -64,6 +64,9 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
@@ -102,6 +105,9 @@ persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,
 persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -129,6 +135,9 @@ privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Appl
 privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
@@ -204,6 +213,9 @@ execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a5
 execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -330,8 +330,8 @@ defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,2,Wi
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -466,8 +466,8 @@ privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -665,8 +665,8 @@ persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify R
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -1067,8 +1067,8 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -665,8 +665,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
   - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -986,8 +989,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1497,8 +1503,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -2460,8 +2469,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -157,6 +157,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 
 # collection
@@ -303,6 +306,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # privilege-escalation
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -377,6 +383,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # credential-access
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -662,6 +671,9 @@
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -492,8 +492,8 @@
 - T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
   - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -721,8 +721,8 @@
   - Atomic Test #1: Netsh Helper DLL Registration [windows]
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1075,8 +1075,8 @@
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1742,8 +1742,8 @@
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -27192,6 +27192,45 @@ defense-evasion:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -42619,6 +42658,45 @@ privilege-escalation:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -67134,6 +67212,45 @@ persistence:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -104979,6 +105096,45 @@ initial-access:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function

atomics/Indexes/macos-index.yaml

@@ -16429,6 +16429,45 @@ defense-evasion:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1211:
     technique:
       x_mitre_platforms:
@@ -26969,6 +27008,45 @@ privilege-escalation:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1574.012:
     technique:
       x_mitre_platforms:
@@ -43386,6 +43464,45 @@ persistence:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1574.012:
     technique:
       x_mitre_platforms:
@@ -68049,6 +68166,45 @@ initial-access:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
 exfiltration:
   T1567:
     technique:

atomics/T1078.003/T1078.003.md

@@ -10,9 +10,15 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
 
 - [Atomic Test #2 - Create local account with admin privileges - MacOS](#atomic-test-2---create-local-account-with-admin-privileges---macos)
 
-- [Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie](#atomic-test-3---winpwn---loot-local-credentials---powerhell-kittie)
+- [Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS](#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos)
 
-- [Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-4---winpwn---loot-local-credentials---safetykatz)
+- [Atomic Test #4 - Enable root account using dsenableroot utility - MacOS](#atomic-test-4---enable-root-account-using-dsenableroot-utility---macos)
+
+- [Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS](#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos)
+
+- [Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie](#atomic-test-6---winpwn---loot-local-credentials---powerhell-kittie)
+
+- [Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-7---winpwn---loot-local-credentials---safetykatz)
 
 
 <br/>
@@ -96,7 +102,105 @@ sudo dscl . -delete /Users/AtomicUser
 <br/>
 <br/>
 
-## Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie
+## Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS
+After execution the new account will be active and added to the Administrators group
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 191db57d-091a-47d5-99f3-97fde53de505
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
+```
+
+#### Cleanup Commands:
+```bash
+sysadminctl interactive -deleteUser art-tester
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Enable root account using dsenableroot utility - MacOS
+After execution the current/new user will have root access
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 20b40ea9-0e17-4155-b8e6-244911a678ac
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+dsenableroot #current user
+dsenableroot -u art-tester -p art-tester -r art-root #new user
+```
+
+#### Cleanup Commands:
+```bash
+dsenableroot -d #current user
+dsenableroot -d -u art-tester -p art-tester #new user
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS
+After execution the current/new user will be added to the Admin group
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 433842ba-e796-4fd5-a14f-95d3a1970875
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+dseditgroup -o edit -a art-user -t user admin
+```
+
+#### Cleanup Commands:
+```bash
+dseditgroup -o edit -d art-user -t user admin
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie
 Loot local Credentials - powerhell kittie technique via function of WinPwn
 
 **Supported Platforms:** Windows
@@ -126,7 +230,7 @@ obfuskittiedump -consoleoutput -noninteractive
 <br/>
 <br/>
 
-## Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz
+## Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz
 Loot local Credentials - Safetykatz technique via function of WinPwn
 
 **Supported Platforms:** Windows